code-snippets/docs/opentofu/encrypted-state.md
Liam Pietralla 8f601b83d7
opentofu encryption
2026-03-27 08:40:45 +11:00

OpenTofu Encrypted State

OpenTofu's state encryption encrypts your state (and plan) files at rest, so a copy of the state sitting in a remote backend, or checked into version control, does not expose the secrets it contains in plaintext. Keep in mind that with the pbkdf2 key provider used below the encryption key is derived from a passphrase: anyone who obtains the encrypted file can attempt offline guessing, so the protection is only as strong as that passphrase, and if the passphrase is lost the state cannot be recovered.

Setup

To use encrypted state you need to set up an encryption block inside the terraform block of your configuration. The block declares a key provider (here pbkdf2, which derives a key from a passphrase), an encryption method that uses the keys from that provider (aes_gcm), and which artifacts the method applies to. Setting enforced = true on the state and plan blocks makes OpenTofu refuse to read or write unencrypted state or plan files instead of silently accepting them.

```hcl
# The configuration references var.encryption_passphrase, so it must be declared.
# sensitive = true keeps the value out of plan output and logs.
variable "encryption_passphrase" {
  type      = string
  sensitive = true
}

terraform {
  encryption {
    # Derive the encryption key from a passphrase (pbkdf2 requires at least 16 characters).
    key_provider "pbkdf2" "key_provider" {
      passphrase = var.encryption_passphrase
    }

    # Encrypt with AES-GCM using the key from the provider above.
    method "aes_gcm" "method" {
      keys = key_provider.pbkdf2.key_provider
    }

    # enforced = true: refuse to read or write unencrypted state.
    state {
      method   = method.aes_gcm.method
      enforced = true
    }

    # Same for saved plan files, which also contain resource data.
    plan {
      method   = method.aes_gcm.method
      enforced = true
    }
  }
}
```

In this example we provide the passphrase through an *.auto.tfvars file, which OpenTofu loads automatically, for example you.auto.tfvars:

```hcl
encryption_passphrase = "my-super-secret-passphrase"
```

Add that file to .gitignore: encrypting the state is pointless if the passphrase is committed next to it.

In CI, supply it instead as a TF_VAR_ environment variable, populated from the pipeline's secret store rather than a value hard-coded in the job definition:

```sh
export TF_VAR_encryption_passphrase="my-super-secret-passphrase"
```
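Since the whole point of the setup above is being able to commit state safely, a guard that refuses to commit a state file that is not actually encrypted (for example because the encryption block was added after the state was written, or enforced was left off) is worth having in a pre-commit hook. The script below is an added example, not part of the original snippet or of OpenTofu itself. It assumes the on-disk shape of an OpenTofu encrypted state: a JSON object carrying "encrypted_data" (the ciphertext) and "meta" (key-provider metadata) and no plaintext "resources" or "outputs" section. Both sample state documents are constructed, with dummy ciphertext and lineage values.

```python
"""Refuse to commit any *.tfstate that is not in OpenTofu's encrypted form.

Added example, not OpenTofu's own code. Field names follow the assumed
encrypted-state layout: "encrypted_data" + "meta", and no plaintext sections.
"""
import json
import sys
from pathlib import Path

# Constructed sample: what the state looks like after tofu apply with the
# encryption block configured. Ciphertext, metadata and lineage are dummies.
ENCRYPTED_STATE = json.dumps({
    "serial": 3,
    "lineage": "0f3d1b2e-0000-4000-8000-000000000000",
    "meta": {"key_provider.pbkdf2.key_provider": "eyJzYWx0IjoiZHVtbXkifQ=="},
    "encrypted_data": "YWVzLWdjbS1jaXBoZXJ0ZXh0LWR1bW15",
    "encryption_version": "v0",
})

# Constructed sample: a plaintext state, i.e. what gets leaked by committing
# state written with no encryption block (or with enforced = false).
PLAINTEXT_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.9.0",
    "serial": 3,
    "lineage": "0f3d1b2e-0000-4000-8000-000000000000",
    "outputs": {"db_password": {"value": "hunter2", "type": "string", "sensitive": True}},
    "resources": [],
})


def classify_state(text: str) -> str:
    """Return "encrypted", "plaintext" or "invalid" for one state document.

    A document only counts as encrypted when the ciphertext container is
    present AND none of the plaintext sections are, so a half-migrated or
    hand-edited file is never waved through.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    has_plain = "resources" in doc or "outputs" in doc
    if "encrypted_data" in doc and not has_plain:
        return "encrypted"
    if has_plain:
        return "plaintext"
    return "invalid"


def unsafe_state_files(paths):
    """Return [(path, verdict)] for every file that must not be committed."""
    bad = []
    for p in map(Path, paths):
        verdict = classify_state(p.read_text(encoding="utf-8"))
        if verdict != "encrypted":
            bad.append((str(p), verdict))
    return bad


def main(argv):
    # Usage from a pre-commit hook: python check_state.py terraform.tfstate ...
    # Exit status 1 blocks the commit.
    bad = unsafe_state_files(argv[1:])
    for path, verdict in bad:
        print(f"refusing to commit {path}: state is {verdict}", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it up with a pre-commit hook that passes every staged *.tfstate path to the script; the check deliberately treats anything that is not recognisably encrypted (including unparsable files) as a failure rather than letting it through.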